Intrusion Detection
One of the publicized threats to security is the intruder, generally referred to as a hacker or cracker.
An analysis of intrusion attacks revealed that there were two levels of hackers. The high level were sophisticated users with a thorough knowledge of the technology. The low level were people who merely used the supplied cracking programs with little understanding of how they worked.
To protect a system from intrusion attacks, two things are basically needed:
1. Access controls for the system and its data.
2. Quick detection of intruders.
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an intrusion detection system.
Basically, two kinds of audit records are used:
1. Native audit records: virtually all multiuser operating systems include software that collects information on user activity.
2. Detection-specific audit records: a collection facility can be implemented that generates audit records containing only the information required by the intrusion detection system.
Main approaches to intrusion detection:
1. Statistical anomaly detection: involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior.
2. Rule-based detection: involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
3. Signature-based detection: performs simple pattern matching and reports situations that match a pattern corresponding to a known attack type.
Statistical Anomaly Detection
Statistical anomaly detection techniques fall into two categories: threshold detection and profile-based systems. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, then an intrusion is assumed. Threshold detection is not efficient.
Profile-based anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations. A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert. The foundation of this approach is an analysis of audit records. To do that, the designer decides on a number of quantitative metrics that can be used to measure user behavior. Current audit records are then compared against the profile to detect intrusion.
Examples of metrics for profile-based intrusion detection:
Counter: number of logins, commands executed during a single user session, number of password failures, etc.
Gauge: the number of logical connections assigned to a user application, the number of outgoing messages queued for a user process, etc.
Interval timer: the length of time between successive logins to an account, etc.
Resource utilization: number of pages printed during a user session, total time consumed by a program execution, etc.
Using these metrics, various tests can be performed to determine whether current activity fits within acceptable limits:
Mean and standard deviation
Multivariate
Markov process
Time series
Operational
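The profile-based approach above as an added worked example (not from the original slides): a per-user profile built from constructed historical audit records using the mean and standard deviation test, a deviation check that requires more than one metric to be out of range before alerting, and a sliding-window threshold detector. The record values, metric names and thresholds are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed historical audit records (hypothetical sample data), one per session
# for one user. The metric names follow the slide's categories: counters
# (pw_failures, commands), an interval timer (login_gap_s) and resource
# utilization (cpu_s).
HISTORY = {
    "alice": [
        {"pw_failures": 0, "commands": 40, "login_gap_s": 86000, "cpu_s": 12.0},
        {"pw_failures": 1, "commands": 35, "login_gap_s": 90000, "cpu_s": 10.5},
        {"pw_failures": 0, "commands": 45, "login_gap_s": 82000, "cpu_s": 14.0},
        {"pw_failures": 0, "commands": 38, "login_gap_s": 88000, "cpu_s": 11.0},
        {"pw_failures": 1, "commands": 42, "login_gap_s": 85000, "cpu_s": 13.0},
    ],
}

def build_profile(records):
    """Per-metric mean and standard deviation of a user's past behaviour."""
    return {m: (mean(r[m] for r in records), pstdev(r[m] for r in records))
            for m in records[0]}

def deviations(profile, current, z_limit=3.0):
    """Metrics whose current value lies more than z_limit standard deviations
    from the profile mean. A zero-variance metric deviates on any change."""
    out = []
    for m, (mu, sigma) in profile.items():
        value = current[m]
        if sigma == 0:
            if value != mu:
                out.append(m)
        elif abs(value - mu) / sigma > z_limit:
            out.append(m)
    return out

def is_anomalous(profile, current, min_metrics=2):
    """Alert only when at least min_metrics deviate, since a single
    out-of-range parameter need not by itself signal an intrusion."""
    return len(deviations(profile, current)) >= min_metrics

def threshold_exceeded(event_times, limit, window_s):
    """Threshold detection: True if more than `limit` events of one type
    fall inside any window_s-second interval (sliding window)."""
    times = sorted(event_times)
    for i, t0 in enumerate(times):
        if sum(1 for t in times[i:] if t - t0 <= window_s) > limit:
            return True
    return False
```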
Rule-Based Intrusion Detection
Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is suspicious.
Rule-based anomaly detection: historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. As with statistical anomaly detection, this method does not require knowledge of security vulnerabilities within the system. A rather large database of rules will be needed.
Rule-based penetration identification: uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behaviors.
Examples of such rules:
Users should not read files in other users' personal directories.
Users must not write to other users' files.
Users who log in after hours often access the same files they used earlier.
Users should not be logged in more than once to the same system.
Users do not make copies of system programs.
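Three of the rules listed above, written as executable checks run over a stream of constructed audit records. This is an added example, not code from the original slides; the record format, the rule functions and the SYSTEM_DIRS list are assumptions.

```python
# Constructed audit records (hypothetical): (user, action, target), in time order.
AUDIT = [
    ("alice", "login", "host1"),
    ("alice", "read", "/home/alice/notes.txt"),
    ("bob", "login", "host1"),
    ("bob", "read", "/home/alice/secrets.txt"),   # another user's directory
    ("bob", "login", "host1"),                      # second login to same system
    ("bob", "copy", "/bin/su"),                     # copy of a system program
    ("carol", "write", "/home/carol/report.txt"),
]

def home_owner(path):
    """Owner of a /home/<user>/... path, or None for paths outside /home."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None

def rule_foreign_home(rec, _state):
    """Users should not read or write files in other users' directories."""
    user, action, target = rec
    owner = home_owner(target)
    if action in ("read", "write") and owner not in (None, user):
        return f"{user}: {action} of {target} in another user's directory"

def rule_duplicate_login(rec, state):
    """Users should not be logged in more than once to the same system."""
    user, action, target = rec
    if action == "login":
        if (user, target) in state["sessions"]:
            return f"{user}: logged in more than once to {target}"
        state["sessions"].add((user, target))
    elif action == "logout":
        state["sessions"].discard((user, target))

SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/")   # assumed system program locations

def rule_copy_system_program(rec, _state):
    """Users do not make copies of system programs."""
    user, action, target = rec
    if action == "copy" and target.startswith(SYSTEM_DIRS):
        return f"{user}: copied system program {target}"

RULES = [rule_foreign_home, rule_duplicate_login, rule_copy_system_program]

def apply_rules(records, rules=RULES):
    """Run every rule over every audit record and collect the alerts."""
    state = {"sessions": set()}   # shared state for rules that track sessions
    return [msg for rec in records for rule in rules if (msg := rule(rec, state))]
```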
Signature-Based Intrusion Detection
Signature-based intrusion detection cannot detect a new attack for which a signature is not yet installed in the database. Signature-based intrusion detection systems tend to use statistical analysis.
SYN denial of service attacks
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections: telnet, Web, email, etc. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server.
Here is a view of this message flow:
Client  ---- SYN ---->  Server
Client  <-- SYN-ACK --  Server
Client  ---- ACK ---->  Server
The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is what we mean by a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially open connections.
Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system. The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.
In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections. However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.
A simple signature for the above attack might describe a series of TCP SYN packets sent to many different ports in succession and at times close to one another, as would be the case for a port scan. Similarly, some implementations of the protocol stack fail if they receive an ICMP packet with a data length of 65535 bytes, so such a packet would be a pattern for which to watch.
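The two signatures described above, plus a count of the half-open connections the SYN flood itself leaves behind, as an added example run over a constructed packet capture. This is not code from the original slides; the tuple format, the addresses, and the thresholds (five ports within two seconds) are assumptions.

```python
from collections import Counter, defaultdict

# Constructed packet summaries (hypothetical capture), one tuple per packet:
# (time_s, src_ip, dst_ip, proto, dst_port, tcp_flags, length_bytes)
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.80", "tcp", 80, "S", 60),   # completed handshake
    (0.10, "10.0.0.5", "10.0.0.80", "tcp", 80, "A", 52),
    (1.00, "10.0.0.9", "10.0.0.80", "tcp", 21, "S", 60),   # SYNs to many ports,
    (1.02, "10.0.0.9", "10.0.0.80", "tcp", 22, "S", 60),   # never completed
    (1.04, "10.0.0.9", "10.0.0.80", "tcp", 23, "S", 60),
    (1.06, "10.0.0.9", "10.0.0.80", "tcp", 25, "S", 60),
    (1.08, "10.0.0.9", "10.0.0.80", "tcp", 80, "S", 60),
    (2.00, "10.0.0.7", "10.0.0.80", "icmp", None, "", 65535),  # oversized ICMP
]

def is_syn(proto, flags):
    """A bare SYN (no ACK bit), i.e. a connection request, not a SYN-ACK."""
    return proto == "tcp" and "S" in flags and "A" not in flags

def syn_scan_sources(packets, min_ports=5, window_s=2.0):
    """Port-scan signature: a source sending SYNs to at least min_ports
    distinct ports on one host within window_s seconds."""
    syns = defaultdict(list)                 # (src, dst) -> [(time, port)]
    for t, src, dst, proto, port, flags, _ in packets:
        if is_syn(proto, flags):
            syns[(src, dst)].append((t, port))
    flagged = set()
    for (src, _), hits in syns.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            if len({p for t, p in hits[i:] if t - t0 <= window_s}) >= min_ports:
                flagged.add(src)
                break
    return flagged

def half_open_per_dest(packets):
    """Per destination, the SYNs that no later ACK from the same source to the
    same port completed: the pending entries a SYN flood leaves in the table."""
    pending = {}                             # (src, dst, port) -> SYN time
    for t, src, dst, proto, port, flags, _ in packets:
        if is_syn(proto, flags):
            pending[(src, dst, port)] = t
        elif proto == "tcp" and "A" in flags:
            pending.pop((src, dst, port), None)
    return dict(Counter(dst for _, dst, _ in pending))

def oversized_icmp_sources(packets, max_len=65535):
    """ICMP packets whose length reaches the 65535 bytes the slide warns of."""
    return {src for _, src, _, proto, _, _, n in packets if proto == "icmp" and n >= max_len}
```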
Implementations of IDS
An intrusion detection system (IDS) is implemented by a combination of hardware and software. Usually, an IDS is a device, e.g. a separate computer, that monitors activity to identify malicious or suspicious events. An IDS may be a network device or a program running on a network device (especially in the case of a host-based IDS).
Most IDSs run in stealth mode, where the IDS has two network interfaces: one for the network (or network segment) being monitored and the other for generating alerts and perhaps other administrative needs. The IDS uses the monitored interface as input only. It never sends packets out through that interface. So it is the perfect passive wiretap.
Cisco's IDS is composed of two primary components:
IDS sensor: standalone IDS 4200 series sensors, Catalyst 6000 IDSM sensor, Router and PIX Firewall sensors.
Management console: UNIX director, CSPM (Cisco Secure Policy Manager).